sijie commented on a change in pull request #6716: [Issue #6711]: add audience
verify in AuthenticationProviderToken
URL: https://github.com/apache/pulsar/pull/6716#discussion_r407090833
##########
File path:
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
##########
@@ -126,9 +137,40 @@ private static String validateToken(final String token)
throws AuthenticationExc
@SuppressWarnings("unchecked")
private Jwt<?, Claims> authenticateToken(final String token) throws
AuthenticationException {
try {
- return Jwts.parser()
+ Jwt<?, Claims> jwt = Jwts.parser()
.setSigningKey(validationKey)
.parse(token);
+
+ if (audienceClaim != null) {
+ if (audience == null){
+ throw new JwtException("Token Audience Claim [" +
audienceClaim
+ + "] configured, but Audience
stands for this broker not.");
+ }
+
+ Object object = jwt.getBody().get(audienceClaim);
+ if (object == null) {
+ throw new JwtException("Found null Audience in token, for
claimed field: " + audienceClaim);
Review comment:
If the broker configures the audience claim and receives a token that
doesn't contain the audience claim, we should throw AuthenticationException.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
